Official Solana JavaScript library compromised in supply chain attack, at least $184,000 taken

December 2, 2024

Official Solana JavaScript library compromised in supply chain attack, at least $184,000 taken

An attacker was able to compromise an account that had publish access for the official Solana web3.js library, which is widely used by dApps to read and write from the Solana blockchain. The library gets over 350,000 downloads per week from the popular JavaScript package manager npm.

Malicious versions of the library allowed exploiters to steal private keys and drain funds from dApps like various Solana bots.

Around $184,000 was stolen as a result of the compromise. Although it was caught fairly quickly, and the malicious code was removed from package managers, developers will need to update projects that used the malicious version of the library, and refresh any potentially exposed secrets.

"Solana Web3.js library backdoored to steal secret, private keys", Bleeping Computer [archive]